Are IT Security Professionals Less Happy?
Posted by timothy on Sun Aug 24, 2008 02:20 PM
from the less-ignorance-less-bliss dept.
zentanu writes "It's said that if you want to be happy, be a gardener. What about IT security professionals?
Having worked as an IT security consultant for several years, I now wonder if my job has a negative influence on my happiness, because it constantly teaches me to focus on the negative side of life: I always have to think about risks and identify all sorts of things that could go wrong.
As an auditor I search for errors that others have made and haughtily tell them. As a penetration tester I break systems that system engineers and administrators have laboriously built. I assume inside threats and have to be professionally suspicious. The security mindset surely helps me in my job, but is it good for me in the long run? What kind of influence has being an IT security professional had on your general attitude towards life? What helps you stay out of pessimism and cynicism? Is protecting existing things really as good as building new ones?"
This discussion has been archived.
haughtily (Score:5, Funny)
"As an auditor I search for errors that others have made and haughtily tell them."
You must be very popular.
Good times and Bad times in any job (Score:5, Insightful)
I'm an IT consultant with over 30 years' experience since I graduated. There are good times and bad times.
The good times for me were in the mid 1990's when I worked in the old Soviet Bloc. There, I could see the work I was doing making a difference.
The bad times were when the company I worked for got taken over and the whole job changed. Suddenly we were supposed to apply production line metrics to consulting assignments.
Luckily I got out and started on my own.
However in your job, it does seem that you are predominantly occupied looking at the down side of IT. Keeping those pesky hackers at bay is not a job I'd want to do.
I'm a fairly creative person. So I have concentrated in spending more time doing things outside of IT.
I've just signed a deal to get my first novel published. Not a huge amount of money. But I can concentrate on the positive for at least part of the day.
Perhaps you do really need to take a long hard look at your work life balance.
my 2c (Score:5, Interesting)
I have never *ever* used my job when considering my own self worth.
Jobs are the means to make money. Sure if you enjoy them, great, but if you don't, and you judge your self worth by them, well then you're fucked.
It's better to have other measures, other means to judge how well you are doing in life. For me it's my open source coding, and my amateur science efforts, as well as being a dad. Any job I do is only, and will only ever be, the means to provide the necessities of life, like savings, a home, money for my kid and such.
Ok, that's important, but it's not a thing upon which your self image should be based. At least that's how I feel.
I thought system admins were gardeners (Score:5, Insightful)
Why do you think they call them server farms?
Seriously, being a system admin is like being a commercial-grade landscaper or farmer.
If a system admin has a good job, he'll have the authority to decide what to plant/what equipment to install, what to feed it and how often to water it/what scheduled hardware and software maintenance is necessary, etc.
He will also tend the garden/maintain the system and reap and share the rewards for his efforts/get paid and have happy customers or bosses.
Oy vay (Score:5, Insightful)
Come on. Get over yourself. Cops, lawyers, doctors, nurses, paramedics, military people... these walks of life deal with human misery, pain and suffering every day. If you're so worried about offending your sunny disposition maybe you should join a convent.
Listen, in any field if you can't take enjoyment out of what you're doing then (a) you should change your profession, or (b) realize if you can't do (a) you're in the same boat with about 80% of the rest of the population.
As a member of the IT world, security-related or otherwise, you have intellectual challenges and brain-teasers to deal with on a constant basis. Testing your knowledge and skill, forcing you to re-evaluate whether you're as good as you think you are every step of the way. And yet, even in such a position you're bound to go through times when you find yourself working for some real asshole(s). They're no fun, either, but you have to keep plugging away.
Either that or apply for a job at the factory where they make those "Have A Nice Day!" bumper stickers. Oh wait ... that's in China. Never mind.
Re:Oy vay (Score:5, Insightful)
Come on. Get over yourself. Cops, lawyers, doctors, nurses, paramedics, military people... these walks of life deal with human misery, pain and suffering every day.
Are you saying that because other people can do it then he/she should too? If so I can't help but ask who are you to tell someone what they can and cannot do? This is known as "minimization" and can be a very ineffective, not to mention damaging, way to communicate with someone.
If you're so worried about offending your sunny disposition maybe you should join a convent.
Can you sense the hostility?
Listen, in any field if you can't take enjoyment out of what you're doing then (a) you should change your profession, or (b) realize if you can't do (a) you're in the same boat with about 80% of the rest of the population.
That 80% of the population you claim has the same capability to make choices about their life that the other 20% do. People choose what they do for their own reasons, not for yours or mine.
but you have to keep plugging away.
*YOU* might have to keep plugging away but the OP doesn't. That's for him/her to decide. Besides that, 80% of statistics are made up 20% of the time.
You make some good points but I sense a lot of underlying hostility in your comments that, if I saw in myself (and, believe me I have) would eventually force me to take an inventory about where I am in life.
The OP asked a very good question and you have seemingly interpreted it as him griping about his job. Maybe that is the subtext that spawned the question but it is not how the question is presented.
I work with lots of IA people (Score:5, Interesting)
A good number of them would be checking bags on the way out of BestBuy if they didn't know how to boot a PC.
My experience lately is that security people, generally, are:
a) not intellectually curious,
b) fearful of change,
c) often suspicious of others' motives because they, themselves, have malevolent intentions, and
d) powertrippers, because they've been given power to second-guess solutions they weren't technically-savvy enough to come up with themselves.
It's fun to discuss something like IPv6 with an IA weenie. He doesn't understand it, so it must be a threat!
BTW, I work for a large federal organization, where these people are everywhere.
Less Happy? How About More Happy! (Score:5, Insightful)
I used to be a software developer for many years and am not in IT security. For me, IT security is actually more satisfying. I'd much rather be the person responsible for finding security weaknesses and assessing risk than the person responsible for getting high quality systems built under tight deadlines.
When you present your security assessment findings to the developers/engineers, there's no need to be haughty about it. Nobody's perfect and every system is going to have some bugs and weaknesses in it. Just present the risks in a matter of fact way so that the people in charge will understand and can make informed decisions on what to fix and how quickly.
Also, when you do security assessments / pen tests, why not also include a section in your report where you tell the developers what they're doing well from a security standpoint? I always do this, which helps to balance out the negative aspects of a pen test and makes the developers feel good before I show them what they need to improve on.
You want answers? (Score:5, Funny)
No.
What kind of influence has being an IT security professional had on your general attitude towards life?
I beat my wife.
What helps you stay out of pessimism and cynicism?
Beer.
Is protecting existing things really as good as building new ones?
No, not really.
Sorry, am I being too negative here?
The answer (Score:5, Funny)
ah: number of happy IT Security Professionals
au: number of unhappy IT Security Professionals
bh: number of happy non-IT-Security Professionals
bu: number of unhappy non-IT-Security Professionals
The answer is yes if au/(au+ah) > bu/(bu+bh)
Correlation vs Causation (Score:5, Insightful)
Hasn't it been fairly well established that more intelligent people are less likely to be happy in general? Being good at IT security (and not just an appliance operator, trained to run a few tools and read the generated reports) requires a fair amount of creative thinking and intelligence. I've worked in the field in the past, and I don't think it's specifically the adversarial mindset that causes unhappiness. I actually had a lot of fun doing that stuff - at least, when my work was appreciated by those I was advising and I wasn't seen as an interloper. That depends more on people skills, both on the working level and in management.
On the other hand, for the last few years I've worked on projects that are ostensibly for the public good, ensuring safe water supplies and such, but I've been rather unhappy with it. Why? Because the company I was working for was far better at securing grants and government contracts than at building anything useful and actually putting it to use beyond carefully controlled tests and demos. I came to realize that nothing I ever did there would ever really matter.
Since then I've been self-employed, doing ten times as much work but I'm happier.
Thankless job (Score:5, Insightful)
Think about it, you have to constantly deal with user mistakes or quite often the mistakes of others and correct them. By correcting someone's mistake you are showing them their faults, not generally a good idea if you want people to be nice to you.
Therefore you end up with user aggression towards the people who provide their computer support.
And when it's the fault of faulty hardware they blame you, you can't win.
Wouldn't this theory apply elsewhere? (Score:5, Interesting)
Wouldn't cops and military personnel also be extremely unhappy as well, based on this?
Wouldn't people who work in demolitions, tearing down buildings, be very unhappy?
Wouldn't this mean that anyone working in a job that had a potential negative impact on others, also be very unhappy? I mean with gas prices what they are, isn't the guy working at the gas station feeling miserable, because people hate paying as much as they are for gas, and he is the front-line representative seeing these reactions?
Too busy (Score:5, Funny)
If it floats your boat (Score:5, Insightful)
If you say you're happy, then why question that?
All I know is that when I worked with mainframes there was no such job classification as "security professional" unless you count the people in charge of guarding the building.
When one mainframe needed to communicate with another we did so over leased lines, and the notion of receiving an executable from another mainframe and running it automatically I don't think would have ever occurred to anyone.
While you might conclude that having a powerful computer on everyone's desktop makes the security exposures we have today inevitable, I don't think it necessarily follows from that that enterprise computing should be as vulnerable as it has gotten. Obviously the "PC revolution" has not resulted in economies of scale, quite the opposite. How many orders of magnitude has growth in enterprise IT gone through? I guarantee you right here on Slashdot there are people who see no problem in downloading large chunks of sensitive data to a machine (even a laptop) outside the data center, for either temporary fiddling, local cache, or whatever and then (if the machine hasn't gotten lost or broken) uploading it to the corporate database overlaying intermediate transactions.
I talk to people working in these environments quite frequently who just don't have a clue. Someone in your job has to not only constantly try and stay a jump ahead of crackers (not hackers!) but also fight with people who are supposed to be on your side about how rules you impose keep them from getting their job done (or so they think). Our profession has been considerably dumbed down in my opinion by the advent of desktop computing. There is no solution in sight. That's why I would find a job like yours unappealing.
Good or bad (Score:5, Insightful)
In this regard, they likely are miserable people but frankly, you should have people in your security department that are jazzed about IT and security. Not someone who flipped a quarter between CPA and IT professional.
Get a wife/girlfriend (Score:5, Funny)
This is Slashdot, so my comments won't be popular here:
Get a wife or a girlfriend and be *her* penetration tester. You might find a new joy in bringing your work home!
I totally identify with this... (Score:5, Interesting)
The security mindset can definitely do long term harm, in my opinion, assuming you're not careful that is. In order to be really good at it you need to be thinking about new potential exploits all the time, and it's really easy to let that rub off in your ordinary life.
I started seeing trivial security holes everywhere... everything from what's wrong with security labels, and tabs, on food products, and "tamper-proof" pharmacy jars to flaws in ATM vestibule security... you name it.
Honestly I kind of started developing mini-phobias or something about things like, take the security labels on food items. Let's look at a plastic mustard dispenser. Underneath the screw on top it comes with a little tab that you rip off, and somehow this keeps it safe from tampering during the period between when the manufacturer creates the product and when you purchase it.
It's absolute nonsense, and does NOTHING to stop anyone from doing anything to the contents of the mustard dispenser. Should someone want to insert a harmful substance into the bottle it could still be done with a very thin needle. It's really there just to appease the masses into thinking the product is somehow made "safe" by the introduction of that little security tab.
So I think about that, then I start to think... oh man, even my mustard's not safe, what if someone did something to it!?!?
It's ridiculous, and completely irrational. I don't think in the history of the modern food distribution system has anything ever happened to anyone's mustard. We all hear horror stories about Halloween candy, and over the counter medicine but I think in large part that stuff is all urban legend.
I think absolutely, yes the security mindset can cause mental health problems, in minor ways for some, and for others who are more prone to thinking negative thoughts perhaps in major ways.
The key, I think, with the security profession is that in order to stay on top of the game you need to always be thinking about how the next attack could arrive. Criminals are creative, and so must be the security people as well. In training your mind to think this way I can see how people would find it easy to become unhappy in other areas of life too.
I no longer do security work, but it's not because of finding it difficult to keep that work / life balance alive (I just got another better opportunity in a different sector). Still to this day I have some lingering security thoughts about things, but all I can do is try to think logically about them.
Just because something is insecure that doesn't mean it's worth worrying about. There's a big incentive for criminals to find any way possible to gain access to a sensitive or desirable computer system, but there's very little gain in tampering with a bottle of mustard ;).
As you stated in your question, it sounds more like you're starting to see the pessimistic side of things everywhere. Everyone's a potential threat. I think no matter what it is it's a similar expression of the same issue: security people get paid to do nothing but worry.
It's not a totally correct analogy, but I think it serves well enough. Now that I'm out of the security business I am pretty thankful. I never realized how much of a burden it was until it was gone. The less time I spend thinking about potential security holes the better I feel in general :). I think it's safe to say security pro just isn't the job for me... perhaps others are made for it.
Seriously though I don't know how people do it. How DO you do that job and not immediately size up threats? How do you not instantly look for the gaping security hole in the access panel on the ATM you're using? How do police men not become jaded and see the potential crime in every situation?
I think some people don't... they do become jaded. But others, the ones who stay happy, they just fight through it. I honestly think it's a choice. You are in control of your mind, and you choose what you le
Re:Short Answer (Score:5, Insightful)
Real Question: WHY?
In "traditional" security, people can ascertain the threats on their own - so they are happy to allow the "security" department to interrupt their life (e.g. - using keys to open locks).
In IT security, people just want to download cool screen savers. Most simply don't see the risk. As such, the job of an IT security professional is much more difficult (e.g. - "why can't my password just be the name of my dog?").
So, most people who work in IT security are made out to be Mordac [wikipedia.org] - "Preventer of information services".
re: "traditional security" vs. I.T. security (Score:5, Insightful)
I don't know. In many ways, "security" is never anything more than putting up deterrents to crime. The more of them you implement, the more you create inconveniences for YOURSELF, in the process. It never really ensures the PREVENTION of a crime.
In "traditional" security scenarios, I think people have found a balance they're content with in most cases. (EG. If I want to secure my house against a break-in, I can stick with the "staple items" we universally employ, such as door and window locks. We've pretty much all established that having to find the proper key for one's door to get inside is a minor hassle, vs. the level of crime deterrence it provides. Optionally, people wanting more can buy an alarm system. Much more hassle, expense and inconvenience, but an added layer of protection everyone understands and can opt for or against with a good sense of the pros and cons.)
"Computer security" is largely considered "of little real value" by the public because they (usually CORRECTLY) come to the conclusion that it creates too many impediments to being productive with the computer tools given. I.T. security nazis that demand those "tough to guess" passwords that have to be changed regularly only cause people to have too much trouble signing THEMSELVES in. So to work around this? They start writing the passwords down on things they can easily look at. Problem solved, but security measure largely bypassed.
By the same token, your business can spend thousands and thousands on firewalls and other "network appliances" that all promise to improve security from hackers and outside threats. But one employee can circumvent it ALL with a $50 wireless access point concealed someplace in a drop ceiling, and letting his buddies know they can now get on the LAN from a portable sitting in the parking lot.
I think many people in charge of spending (whether management or other I.T. workers) are realizing that the basics like merely having SOME kind of password required to log in, a basic NAT firewall in place, some anti-virus/spyware package on the workstations, and maybe a spam filtering service on their email is ALL they realistically need. MOST companies just don't have that much on their network that outside hackers even care to access. The most "sensitive" information is usually just of interest to EMPLOYEES of the company (like salary histories of different people?). So let the one dept. that has to handle that data (H.R.) put extra security measures on it, and keep them from inconveniencing everybody else.....
Re: "traditional security" vs. I.T. security (Score:5, Interesting)
No, there is quite a bit of liability involved in IT now. Not properly protecting salary and HR files can be a criminal offense to the company owners.. you have to do it. But you are correct, security is not really about "preventing" wrongdoing, because somebody that wants to get you will. On the other hand one part is to make enough noise that the honest people know you're watching and aren't led astray. The other part is logging and auditing what's going on... just like a physical security guard, to know who belongs and who doesn't, then able to prove that in court if you need to.
Good security also keeps people from accidentally messing up your data, and that's the most common and disastrous thing that happens. To only give people the minimum they need, then when 2 months of TPS reports are missing you have a short list of who had access rather than entire departments, and find out the boss deleted them not "some hacker". You also keep unqualified people from screwing things up.
Re:Short Answer (Score:5, Interesting)
OK, so you can either be a security dick and "haughtily" tell people of their errors, etc, or you can actually help the sysadmins. And I don't mean help by slapping your polished report on the manager's desk and think you're helping by listing all the things they've done wrong.
No, get down in the trenches. Build a relationship with the engineers and sysadmins, so that you work together. They'll start coming to you before they make mistakes asking you to help them double check their work. I worked at one shop where the security team was just like this. We'd work with them on what we did, and prevented tons of mistakes before there was ever an issue and things moved to production.
Then you have the security team I work with now, who we simply call "Team No." They're pretty useless, everyone hates ever having to deal with them. They're the type that when you ask for help designing a secure system will respond it's not their job. When you question them they'll haughtily respond "I know what I'm doing, I'm a CISSP!!!" Big freakin' deal, I respond, so am I. But the net result is without cooperation, they'll never truly be able to secure our systems.
Please be the kind of security guy that is a help not a hindrance. And then I'm sure you'll start going home at the end of the day feeling much better about yourself.
Re:Could be a coincidence (Score:5, Insightful)
I'd love to see your security documentation.
"i am a it security professional w/10 yrs exp and i recommend bgr passwds."
I'm guessing you're either full of shit, or have the worst security documentation EVER because you can't use capital letters and you can't write decent English.
Security is more than downloading and installing anti-virus software, you know.
Re:I'd reply but I'm worried someone will be watch (Score:5, Interesting)
I know a guy in IT security. He's generally a happy person, with a good family life to keep him busy. He plays horn with a band, with practice keeping him busy several times a week. He says that's what keeps him sane.
Re:happiness... (Score:5, Funny)